chore(aws): expand notes

This commit is contained in:
Michele Cereda
2025-07-06 23:40:53 +02:00
parent 0b4777e7bf
commit f9f7b497ac
5 changed files with 95 additions and 6 deletions

View File

@@ -25,6 +25,7 @@
| CD | Continuous Deployment | | | CD | Continuous Deployment | |
| CDN | Content Delivery Network | | | CDN | Content Delivery Network | |
| CI | Continuous Integration | | | CI | Continuous Integration | |
| CIDR | Classless Inter-Domain Routing | |
| CLI | Command Line Interface | | | CLI | Command Line Interface | |
| CMS | Content Management System | | | CMS | Content Management System | |
| CN | Canonical Name | In Active Directory, the full path of an object in a canonical format | | CN | Canonical Name | In Active Directory, the full path of an object in a canonical format |

View File

@@ -71,16 +71,30 @@ subsequent requests that API receives.
VPCs define isolated virtual networking environments.<br/> VPCs define isolated virtual networking environments.<br/>
AWS accounts include one default VPC for each AWS Region. AWS accounts include one default VPC for each AWS Region.
Every VPC will have at least one CIDR block.<br/>
Every new AWS account will have one default VPC in every region, all with the `172.31.0.0/16` CIDR block assigned.
VPCs can be _peered_ to enable direct connectivity between them via private IP addresses.<br/> VPCs can be _peered_ to enable direct connectivity between them via private IP addresses.<br/>
The peer connection also requires exchanging route table entries between the VPCs. The peer connection also requires exchanging route table entries between the VPCs.
Subnets are ranges of IP addresses in VPCs.<br/> Subnets are virtual networks, each of which carves out smaller range of IP addresses from their VPC's CIDR block.<br/>
Each subnet resides in a single Availability Zone.<br/> Each subnet resides in a single Availability Zone.<br/>
_Public_ subnets have a direct route to an Internet gateway. Resources in public subnets **can** access the public _Public_ subnets have a direct route to an Internet gateway. Resources in public subnets **can** access the public
Internet.<br/> Internet.<br/>
_Private_ subnets do **not** have a direct route to an Internet gateway. Resources in private subnets **require** a NAT _Private_ subnets do **not** have a direct route to an Internet gateway. Resources in private subnets **require** a NAT
device to access the public internet. device to access the public internet.
_Security groups_ control the traffic in and out of the resources associated with them, like firewalls would do.<br/>
_Security group rules_ are **stateful**, meaning that connections initiated from the security group will allow the
corresponding answers to come back in (but not new connections).<br/>
The default value for Egress traffic is to allow all connections.
_Network Access Control Lists_ also control the traffic in and out. However, they are associated with subnets, and
affect all resources within that subnet.<br/>
NACLs are **stateless**, meaning that both the Inbound and Outbound rules must match traffic patterns to allow
communications in **any** direction.<br/>
_NACL rules_ allow all traffic by default. They also have a priority.
Gateways connect VPCs to other networks.<br/> Gateways connect VPCs to other networks.<br/>
[_Internet gateways_][connect to the internet using an internet gateway] connect VPCs to the Internet.<br/> [_Internet gateways_][connect to the internet using an internet gateway] connect VPCs to the Internet.<br/>
[_NAT gateways_][nat gateways] allow resources in private subnets to connect to the Internet, other VPCs, or on-premises [_NAT gateways_][nat gateways] allow resources in private subnets to connect to the Internet, other VPCs, or on-premises
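Review bot: the NACL default stated in the new line `_NACL rules_ allow all traffic by default. They also have a priority.` only holds for the VPC's default NACL; a custom NACL starts with deny-all rules in both directions, so a reader who creates one will cut off the subnet until explicit allow rules are added. Suggest splitting it: `The VPC's default NACL allows all traffic; custom NACLs deny all traffic until rules are added.` The "priority" remark would be clearer as the concrete rule: entries are evaluated in ascending rule-number order and the first match wins, which is why ordering matters for stateless filtering. On the security-group lines, `The default value for Egress traffic is to allow all connections.` is correct, but the matching fact that a newly created security group has no inbound rules (so nothing is reachable until a rule is added) is the one that matters for least privilege and should sit next to it. Finally, the new line `Every new AWS account will have one default VPC in every region, all with the 172.31.0.0/16 CIDR block assigned.` restates the unchanged line just above it (`AWS accounts include one default VPC for each AWS Region.`); merging the two keeps the CIDR fact and drops the duplicate.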
@@ -88,6 +102,10 @@ networks. They can communicate with services outside the VPC, but cannot receive
[_VPC endpoints_][access aws services through aws privatelink] connect VPCs to AWS services privately, without the need [_VPC endpoints_][access aws services through aws privatelink] connect VPCs to AWS services privately, without the need
of Internet gateways or NAT devices. of Internet gateways or NAT devices.
_Route tables_ control how traffic flows throughout, and in or out, a VPC.<br/>
They are associated with subnets, and affect all resources within those subnets.<br/>
By default, a VPC only comes with a single route table. It is referred to as the `Main` route table.
By default, connections to AWS services use the services' **public** endpoint. By default, connections to AWS services use the services' **public** endpoint.
Traffic from instances in **public** subnets is routed to the VPC's internet gateway, then forwarded to the requested Traffic from instances in **public** subnets is routed to the VPC's internet gateway, then forwarded to the requested
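Review bot: the route-table paragraph is missing the association rule that gives the `Main` table its significance: each subnet is associated with exactly one route table, and any subnet without an explicit association uses the main route table. One sentence after `It is referred to as the Main route table.` covers it, and it explains a common misconfiguration: a route added to the main table silently applies to every subnet that was never explicitly associated elsewhere, which is why the usual advice is to leave the main table minimal and associate subnets with dedicated tables.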
@@ -109,7 +127,7 @@ graph LR
end end
ei --> ig ei --> ig
ig --> i ig --> i
ig --> as i --> as
``` ```
</details> </details>
@@ -138,14 +156,39 @@ graph LR
ei --> ng ei --> ng
ng --> ig ng --> ig
ig --> i ig --> i
ig --> as i --> as
``` ```
</details> </details>
[PrivateLink] leverages VPC endpoints to create a private and direct connection between a VPC and an AWS service.<br/> [PrivateLink] leverages VPC endpoints to create a private and direct connection between a VPC and an AWS service.<br/>
[Gateway endpoints] do the same in a more convenient way that does not use Elastic Network Interfaces, but can be used [Gateway endpoints] do the same in a more convenient way that does not use Elastic Network Interfaces, but are only
only for some services ([S3] and DynamoDB). supported by specific AWS services ([S3] and DynamoDB).
<details style="padding: 0 0 1rem 1rem">
```mermaid
graph LR
i(Internet)
subgraph Region
direction LR
subgraph VPC
subgraph Public Network
ng(NAT Gateway)
end
subgraph Private Network
ei(Instance)
end
ge(Gateway<br/>Endpoint)
ig(Internet<br/>Gateway)
end
as(AWS Service)
end
ei --> ge
ge --> as
```
</details>
[Direct Connect] creates a dedicated network connection between on-premises data centers or offices and AWS. [Direct Connect] creates a dedicated network connection between on-premises data centers or offices and AWS.
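Review bot: in the new mermaid diagram the `ng(NAT Gateway)` and `ig(Internet<br/>Gateway)` nodes are declared but have no edges, so they render as disconnected boxes next to `ei --> ge --> as`. Either drop them or keep them deliberately and say in the prose that S3/DynamoDB traffic bypasses both, which is the point the diagram is making. The prose above the diagram would also benefit from saying how a gateway endpoint is wired: it is a target in the subnet's route table (a route for the service's managed prefix list), not a network interface, which is the concrete reason it `does not use Elastic Network Interfaces` and ties this paragraph back to the route-table section added earlier in this file. Worth one more sentence: because the endpoint sits in the route table, the subnet's existing NAT or Internet gateway route is no longer used for that service, so NACLs and security groups still apply but the traffic never leaves the AWS network.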
@@ -772,6 +815,8 @@ machine if not.
- [Tools to Build on AWS] - [Tools to Build on AWS]
- [Boto3 documentation] - [Boto3 documentation]
- [More info about resource deprecation?] - [More info about resource deprecation?]
- [What Is OIDC and Why Do We Need It?]
- [AWS Fundamentals Blog]
### Sources ### Sources
@@ -803,6 +848,12 @@ machine if not.
- [What is AWS Global Accelerator?] - [What is AWS Global Accelerator?]
- [How AWS Global Accelerator works] - [How AWS Global Accelerator works]
- [Using Amazon CloudWatch with AWS Global Accelerator] - [Using Amazon CloudWatch with AWS Global Accelerator]
- [Gateway Endpoints vs Internet Routing for S3]
- Introduction to the AWS Virtual Private Cloud (VPC) -
[Part 1][Introduction to the AWS Virtual Private Cloud (VPC) - Part 1],
[Part 2][Introduction to the AWS Virtual Private Cloud (VPC) - Part 2],
[Part 3][Introduction to the AWS Virtual Private Cloud (VPC) - Part 3]
- [VPC Endpoints: Secure and Direct Access to AWS Services]
<!-- <!--
Reference Reference
@@ -894,5 +945,12 @@ machine if not.
[aws savings plans vs. reserved instances: when to use each]: https://www.cloudzero.com/blog/savings-plans-vs-reserved-instances/ [aws savings plans vs. reserved instances: when to use each]: https://www.cloudzero.com/blog/savings-plans-vs-reserved-instances/
[date & time policy conditions at aws - 1-minute iam lesson]: https://www.youtube.com/watch?v=4wpKP1HLEXg [date & time policy conditions at aws - 1-minute iam lesson]: https://www.youtube.com/watch?v=4wpKP1HLEXg
[difference in boto3 between resource, client, and session?]: https://stackoverflow.com/questions/42809096/difference-in-boto3-between-resource-client-and-session [difference in boto3 between resource, client, and session?]: https://stackoverflow.com/questions/42809096/difference-in-boto3-between-resource-client-and-session
[Gateway Endpoints vs Internet Routing for S3]: https://awsfundamentals.com/blog/gateway-endpoints-vs-internet-routing-s3
[Introduction to the AWS Virtual Private Cloud (VPC) - Part 1]: https://awsfundamentals.com/blog/amazon-vpc-introduction-part-1
[Introduction to the AWS Virtual Private Cloud (VPC) - Part 2]: https://awsfundamentals.com/blog/introduction-to-the-aws-virtual-private-cloud-vpc-part-2
[Introduction to the AWS Virtual Private Cloud (VPC) - Part 3]: https://awsfundamentals.com/blog/amazon-vpc-introduction-part-3
[Learn AWS]: https://www.learnaws.org/ [Learn AWS]: https://www.learnaws.org/
[using aws kms via the cli with a symmetric key]: https://nsmith.net/aws-kms-cli [using aws kms via the cli with a symmetric key]: https://nsmith.net/aws-kms-cli
[VPC Endpoints: Secure and Direct Access to AWS Services]: https://awsfundamentals.com/blog/vpc-endpoints
[What Is OIDC and Why Do We Need It?]: https://awsfundamentals.com/blog/oidc-introduction
[AWS Fundamentals Blog]: https://awsfundamentals.com/blog
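Review bot: `[AWS Fundamentals Blog]: https://awsfundamentals.com/blog` is appended at the very end of a reference block that is otherwise sorted case-insensitively (`aws savings plans...`, `date & time...`, `difference in boto3...`, `Gateway Endpoints...`, `Introduction...`, `Learn AWS`, `using aws kms...`, `VPC Endpoints...`, `What Is OIDC...`); move it above `[aws savings plans vs. reserved instances: when to use each]` to keep the ordering. Casing of the new keys is Title Case while most existing ones are lowercase; Markdown reference labels are matched case-insensitively so it works either way, but picking one style for the new entries avoids the mix.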

View File

@@ -7,6 +7,7 @@
1. [Launch type](#launch-type) 1. [Launch type](#launch-type)
1. [EC2 launch type](#ec2-launch-type) 1. [EC2 launch type](#ec2-launch-type)
1. [Fargate launch type](#fargate-launch-type) 1. [Fargate launch type](#fargate-launch-type)
1. [External launch type](#external-launch-type)
1. [Capacity providers](#capacity-providers) 1. [Capacity providers](#capacity-providers)
1. [EC2 capacity providers](#ec2-capacity-providers) 1. [EC2 capacity providers](#ec2-capacity-providers)
1. [Fargate for ECS](#fargate-for-ecs) 1. [Fargate for ECS](#fargate-for-ecs)
@@ -227,6 +228,8 @@ Available service scheduler strategies:
## Launch type ## Launch type
Defines the underlying infrastructure effectively running containers within ECS.
### EC2 launch type ### EC2 launch type
Starts tasks onto _registered_ EC2 instances. Starts tasks onto _registered_ EC2 instances.
@@ -243,6 +246,11 @@ Starts tasks on dedicated, managed EC2 instances that are **not** reachable by t
Instances are automatically provisioned, configured, and registered to scale one's cluster capacity.<br/> Instances are automatically provisioned, configured, and registered to scale one's cluster capacity.<br/>
The service takes care itself of all the infrastructure management for the tasks. The service takes care itself of all the infrastructure management for the tasks.
### External launch type
Manages containers running **outside** the ECS ecosystem, e.g., on-premises servers, other cloud providers, or hybrid
deployments.
## Capacity providers ## Capacity providers
Refer [Capacity providers][upstream capacity providers]. Refer [Capacity providers][upstream capacity providers].
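Review bot: the new External launch type paragraph should name the feature (ECS Anywhere) and say how such hosts join the cluster, mirroring the `registered EC2 instances` wording of the EC2 section above: on-premises or other-cloud machines are registered as external instances by installing the SSM agent and ECS agent through an SSM activation, and task definitions and services target them with the `EXTERNAL` launch type. One sentence is enough, but without it the section does not say how a container ends up "outside the ECS ecosystem" yet still managed by it.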
@@ -674,12 +682,26 @@ Refer [Use Docker volumes with Amazon ECS].
TODO TODO
Only supported by EC2 or external instances.
### Bind mounts ### Bind mounts
Refer [Use bind mounts with Amazon ECS]. Refer [Use bind mounts with Amazon ECS].
TODO TODO
Mount files or directories from a host into a container.
Supported for tasks on both Fargate and EC2 instances.
Bind mounts are tied to the lifecycle of the container that uses them.<br/>
After all the containers using a specific bind mount stop, that data is removed.<br/>
The data can be tied to the lifecycle of an EC2 instance by specifying a `host` value in the task's definition.
Tasks running on Fargate receive a minimum of 20 GiB of ephemeral storage for bind mounts.<br/>
This can be increased up to a maximum of 200 GiB by specifying the `ephemeralStorage` parameter in the task's
definition.
## Execute commands in tasks' containers ## Execute commands in tasks' containers
Refer [Using Amazon ECS Exec to access your containers on AWS Fargate and Amazon EC2], Refer [Using Amazon ECS Exec to access your containers on AWS Fargate and Amazon EC2],
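Review bot: both `TODO` placeholders survive this change; in the Docker volumes section the new `Only supported by EC2 or external instances.` now sits directly under a bare `TODO`, so either complete the section or drop the placeholder. In the bind-mounts block, `Supported for tasks on both Fargate and EC2 instances.` omits external instances, which the External launch type added in this same commit also supports for bind mounts; suggest `Fargate, EC2, and external instances`. `The data can be tied to the lifecycle of an EC2 instance by specifying a host value in the task's definition.` would be more precise naming the field, `host.sourcePath` on the volume definition, and noting that it applies to EC2 and external instances only, since a Fargate task has no host path to bind to. The 20 GiB / 200 GiB ephemeral storage figures match Fargate platform version 1.4.0 and later; stating the platform version keeps the note accurate for readers on older tasks.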
@@ -1570,6 +1592,7 @@ Specify a supported value for the task CPU and memory in your task definition.
- [Interconnect Amazon ECS services] - [Interconnect Amazon ECS services]
- [Amazon ECS Service Discovery] - [Amazon ECS Service Discovery]
- [AWS Fargate Pricing Explained] - [AWS Fargate Pricing Explained]
- [The Ultimate Beginner's Guide to AWS ECS]
<!-- <!--
Reference Reference
@@ -1654,3 +1677,4 @@ Specify a supported value for the task CPU and memory in your task definition.
[guide to using amazon ebs with amazon ecs and aws fargate]: https://stackpioneers.com/2024/01/12/guide-to-using-amazon-ebs-with-amazon-ecs-and-aws-fargate/ [guide to using amazon ebs with amazon ecs and aws fargate]: https://stackpioneers.com/2024/01/12/guide-to-using-amazon-ebs-with-amazon-ecs-and-aws-fargate/
[prometheus service discovery for aws ecs]: https://tomgregory.com/aws/prometheus-service-discovery-for-aws-ecs/ [prometheus service discovery for aws ecs]: https://tomgregory.com/aws/prometheus-service-discovery-for-aws-ecs/
[Scraping Prometheus metrics from applications running in AWS ECS]: https://towardsaws.com/scraping-prometheus-metrics-from-aws-ecs-9c8d9a1ca1bd [Scraping Prometheus metrics from applications running in AWS ECS]: https://towardsaws.com/scraping-prometheus-metrics-from-aws-ecs-9c8d9a1ca1bd
[The Ultimate Beginner's Guide to AWS ECS]: https://awsfundamentals.com/blog/aws-ecs-beginner-guide

View File

@@ -428,6 +428,7 @@ UserId: AROA2HKHF74L72AABBCCDD:botocore-session-1234567890
- [Get to Grips with AWS IAM Roles: Terms, Concepts, and Examples] - [Get to Grips with AWS IAM Roles: Terms, Concepts, and Examples]
- [What is exactly "Assume" a role in AWS?] - [What is exactly "Assume" a role in AWS?]
- [Conditions with multiple context keys or values] - [Conditions with multiple context keys or values]
- [AWS IAM Users: Understanding Identity Center, Organizations, and Federation]
<!-- <!--
Reference Reference
@@ -466,9 +467,10 @@ UserId: AROA2HKHF74L72AABBCCDD:botocore-session-1234567890
<!-- Others --> <!-- Others -->
[avoid the 60 minutes timeout when using the aws cli with iam roles]: https://cloudonaut.io/avoid-the-60-minutes-timeout-when-using-the-aws-cli-with-iam-roles/ [avoid the 60 minutes timeout when using the aws cli with iam roles]: https://cloudonaut.io/avoid-the-60-minutes-timeout-when-using-the-aws-cli-with-iam-roles/
[aws iam roles - everything you need to know & examples]: https://spacelift.io/blog/aws-iam-roles [aws iam roles - everything you need to know & examples]: https://spacelift.io/blog/aws-iam-roles
[AWS IAM Users: Understanding Identity Center, Organizations, and Federation]: https://awsfundamentals.com/blog/aws-iam-users
[aws.permissions.cloud]: https://aws.permissions.cloud/ [aws.permissions.cloud]: https://aws.permissions.cloud/
[get to grips with aws iam roles: terms, concepts, and examples]: https://blog.awsfundamentals.com/aws-iam-roles-terms-concepts-and-examples [get to grips with aws iam roles: terms, concepts, and examples]: https://blog.awsfundamentals.com/aws-iam-roles-terms-concepts-and-examples
[introduction to aws iam assumerole]: https://aws.plainenglish.io/introduction-to-aws-iam-assumerole-fbef3ce8e90b [introduction to aws iam assumerole]: https://aws.plainenglish.io/introduction-to-aws-iam-assumerole-fbef3ce8e90b
[using aws cli securely with iam roles and mfa]: https://dev.to/albac/using-aws-cli-securely-with-iam-roles-and-mfa-56c3 [using aws cli securely with iam roles and mfa]: https://dev.to/albac/using-aws-cli-securely-with-iam-roles-and-mfa-56c3
[you might be clueless as to why aws assume role isn't working, despite being correctly set up]: https://medium.com/@kamal.maiti/you-might-be-clueless-as-to-why-aws-assume-role-isnt-working-despite-being-correctly-set-up-1b3138519c07
[what is exactly "assume" a role in aws?]: https://stackoverflow.com/questions/50082732/what-is-exactly-assume-a-role-in-aws [what is exactly "assume" a role in aws?]: https://stackoverflow.com/questions/50082732/what-is-exactly-assume-a-role-in-aws
[you might be clueless as to why aws assume role isn't working, despite being correctly set up]: https://medium.com/@kamal.maiti/you-might-be-clueless-as-to-why-aws-assume-role-isnt-working-despite-being-correctly-set-up-1b3138519c07

View File

@@ -224,6 +224,7 @@ Examples: [1][lifecycle configuration examples], [2][s3 lifecycle rules example
- [Understanding and managing Amazon S3 storage classes] - [Understanding and managing Amazon S3 storage classes]
- [Using S3 Intelligent-Tiering] - [Using S3 Intelligent-Tiering]
- [Amazon S3 cost optimization for predictable and dynamic access patterns] - [Amazon S3 cost optimization for predictable and dynamic access patterns]
- [Gateway Endpoints vs Internet Routing for S3]
### Sources ### Sources
@@ -233,6 +234,7 @@ Examples: [1][lifecycle configuration examples], [2][s3 lifecycle rules example
- [CLI subcommand reference] - [CLI subcommand reference]
- [Find out the size of your Amazon S3 buckets] - [Find out the size of your Amazon S3 buckets]
- [How S3 Intelligent-Tiering works] - [How S3 Intelligent-Tiering works]
- [Amazon S3 Intelligent Tiering]
<!-- <!--
Reference Reference
@@ -261,3 +263,5 @@ Examples: [1][lifecycle configuration examples], [2][s3 lifecycle rules example
[Using S3 Intelligent-Tiering]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-intelligent-tiering.html [Using S3 Intelligent-Tiering]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-intelligent-tiering.html
<!-- Others --> <!-- Others -->
[Amazon S3 Intelligent Tiering]: https://awsfundamentals.com/blog/amazon-s3-intelligent-tiering
[Gateway Endpoints vs Internet Routing for S3]: https://awsfundamentals.com/blog/gateway-endpoints-vs-internet-routing-s3